“Verified by Visa” is the worst security feature ever

I’m not the kind of guy who falls for those super-obvious identity theft scams. I live online, I work in IT and I don’t really like sports. I’m pretty careful when it comes to plugging my credit card into the internet.

But last month, when I was stuck for rail tickets in Europe, I thought I’d slipped up. Turns out, it was just a “security feature.”

Here’s the story: Last month, my girlfriend and I had some trouble with our train tickets. Crouching on a hostel bunkbed, hands cramping on the tiny Eee PC keyboard, I was already in a bad mood about having to shell out another ₤180 for new train tickets.

But I was at the official Eurostar website, so at least I wasn’t worried about getting scammed.

Begrudgingly, I entered my name, address, credit card, CVC number, etc. I clicked “Proceed” and was redirected to a third party site, with my bank’s logo on it. And great, it’s asking me for my financial information again!

This screams “phishing scam” to anyone that ever bothers to look at the address bar in their browser.

So after a few panicked phone calls to the Visa Fraud line, the Eurostar people and my bank, I find out that not only is my identity safe and sound, but SecureSuite.net and their “Verified by Visa” program are legitimate.

Visa really dropped the ball here. This is a terrible security strategy, and here’s why:

People, especially people that aren’t very tech savvy, are trained to not enter any financial information online when the website in the address bar looks fishy. A good example of “looking fishy” would be when a website in the address bar has absolutely nothing to do with the website you think you’re visiting. In this example, SecureSuite.net has nothing to do with any of the organizations I’m dealing with: Eurostar, Visa, or my bank.

Here are three steps Visa could take to fix this process:

Ditch SecureSuite.net. This is not a familiar name. I have a Visa card, and an RBC account — I don’t have any association with some company called “SecureSuite.” Everything needs to go through domains owned by one of the companies I’m familiar with, and that I trust.

Publicize this. Send emails to customers, make phone calls, hand out pamphlets. Your new security features should never look like a scam — and part of the reason this looked so much like a scam is that I’d never heard of Verified by Visa.

If you absolutely must have vendors, like Eurostar, redirect customers to a domain that they aren’t going to recognize, make sure they give a warning. Even something simple, like “You will now be redirected to our security partners, SecureSuite.net. This is intended, and is not a browser hijack.”
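The address-bar check described above, written as code (an added example, not part of the original post). It takes the organisations a shopper is actually dealing with, decides whether a redirect target stays on one of their domains, and otherwise produces the kind of warning text step 3 asks for. The trusted domain names in the test are assumptions for illustration, not the real sites’ hosts.

```javascript
// Added example: the "does the address bar match who I'm dealing with" rule.
// Input: a list of domains the shopper expects (merchant, card network, bank)
// and the URL the checkout is about to redirect to.

function registrable(host) {
  // Naive "last two labels" rule, enough for the .com/.net hosts used here.
  // Production code should consult the Public Suffix List (e.g. for co.uk).
  const labels = host.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

function classifyRedirect(trustedDomains, targetUrl) {
  let url;
  try {
    url = new URL(targetUrl); // throws on unparseable input
  } catch {
    return { verdict: "invalid", reason: "not a parseable URL" };
  }
  if (url.protocol !== "https:") {
    // A financial form served without TLS fails the check regardless of host.
    return { verdict: "unfamiliar", reason: "financial form served without TLS" };
  }
  const host = url.hostname; // the parsed host, not whatever text precedes it
  const trusted = trustedDomains.map(registrable);
  const match = trusted.find((d) => host === d || host.endsWith("." + d));
  if (match) {
    return { verdict: "first-party", reason: `host ${host} belongs to ${match}` };
  }
  // Unfamiliar third party: this is exactly the SecureSuite.net situation,
  // and the warning text is what the post's step 3 asks vendors to show.
  return {
    verdict: "unfamiliar",
    reason: `host ${host} belongs to none of: ${trusted.join(", ")}`,
    warning: `You will now be redirected to our security partner, ${host}. This is intended, and is not a browser hijack.`,
  };
}
```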

Nope, not a Canadian thing. I was using a European site the first time I saw it.

One of the biggest problems is that it’s not standard procedure — some sites implement it, others don’t.

Visa is trying to pass the buck for online fraud to vendors: they want to make the argument that vendors should protect customer finances by using Verified by Visa — which is really just another password, and not much of an increase in security anyhow.

Almost the exact same thing happened to me (just now in fact; which is why I’m posting here).

On making a transaction I was prompted to set up a Verified by Visa password etc. (although I’ve done it before–go figure) and after I was sent an email from “barclays@securesuite.net” which totally freaked me out.

I’m glad somebody’s already inquired into this; this is a very helpful post! Thanks!

I just encountered the Verified by Visa program a second time, and while it met many of the standards you advocated above, I still think it’s a bad security practice to have someone enter in ANY sensitive private data (I had to enter my social security number last 4 digits and my postal code) into any site other than that of the financial institution itself. I was at the site of a retailer I trust, and the URL (and yes you are correct, we are trained to look) was entirely normal for this retailer’s web site. I was advised that the form was being served by the bank, however, the masthead was branded with the retailer, and the URL was that of the retailer. If Visa trains people to accept this kind of validation process, they expose themselves to fake web sites and unscrupulous web retailers who might take advantage of this new norm to gain the confidence of users and capture from them sensitive account information. Thus, the Verified by Visa program could actually result in reduced security and increased incidence of fraud. I think this was thought up as a punt by some suits who don’t understand the theories of online security. I have a proposal that Visa could use to achieve the same goal with real security:

Visa should provide OpenID service. I sign up for an OpenID account at Visa, they verify my identity, linking it to my bank account / credit card. I sign in with my Visa OpenID (or another OpenID I have added to my validated Visa ID) at my retailer’s web site (during which, of course, I’m taken to the Visa page to enter my password). I can then make my purchase normally, entering in my CC number, expiry date and security number like I always do. This model establishes a trust relationship between the customer, retailer and financial institution in a secure way.

I thought this was a bit weird but I needed the product so bad, I then kept on receiving emails and I suddenly missed a heart beat, thought to myself, what have I done. It looked like a scam, why did I type my details in??
I quickly googled Verified by Visa etc.
Turns out it’s fine but scared me!
Open ID FTW

I just phoned RBC Visa because my spidey-senses went off when I saw the centresuite URL and they refused to verify or deny whether centresuite is the third-party that manages this service for them. All I kept getting was “I can’t confirm that because I can’t see what you’re seeing”. And “Verified by Visa is the third-party”. I can understand the hesitance to give me the go-ahead, but the question was a simple one. When I told her that I couldn’t possibly be the only one who was given pause by the third URL that was completely unrelated to either RBC or the company from whom I was making my purchase she said she’d never heard an inquiry. It’s good to see that there are other rational and reasonably cautious people out there.

I made my purchase, but I will be writing a letter to express my surprise and disappointment in this horribly ill conceived “security feature”.

I had the same exact thoughts when I saw the same exact things on a purchase I made today. Thank you for clearing this up.

In regards to Nick’s concern about this Mr. Yaron Shohat individual – From LinkedIn, he’s the “Head of Online Threats Business Unit at RSA, The Security Division of EMC” and was originally from Cyota (which the WHOIS report also notes).

Verified by Visa was a solution of Cyota (SecureSuite – Processor Edition), which was bought by RSA Security.
